{"id":"CVE-2016-7480","details":"The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.","modified":"2026-04-01T23:54:32.238478Z","published":"2017-01-11T07:59:00.143Z","related":["SUSE-SU-2017:0534-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/95152"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180112-0001/"},{"type":"ADVISORY","url":"http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7"},{"type":"ADVISORY","url":"http://php.net/ChangeLog-7.php"},{"type":"ADVISORY","url":"https://www.youtube.com/watch?v=LDcaPstAuPk"},{"type":"FIX","url":"https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4"},{"type":"FIX","url":"https://bugs.php.net/bug.php?id=73257"},{"type":"EVIDENCE","url":"http://blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"fixed":"e2874f7bf990ed58ba6f7abccefa2c00a0447fc7"},{"fixed":"61cdd1255d5b9c8453be71aacbbf682796ac77d4"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"fixed":"7.0.11"}]}}],"versions":["php-7.0.0"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"120263227596398378617375601141451063602","length":2208},"source":"https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4","deprecated":false,"signature_type":"Function","id":"CVE-2016-7480-40b4ffdc","target":{"function":"SPL_METHOD","file":"ext/spl/spl_observer.c"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["311234878759843067834920731248114505772","50912414707171288631538515995604057141","162017028089509586153324425077756765976","242884483502019213952707469980360057644","336387103315920007587990593317693867963","21580564470928238072623097181749639560","283797390797428005224407026009247451270","219637822043791896869783149654081588089","178852092846835038102390099040886447181","136146387223299992562308475632779719063","288364703481122890929991226047229929241","126765909629768321856645271021163435983","105038064802166019778237222904298848318","257724883922067736173061222643725001998","38772639687927117305721988887639643782","167676080273695483373820046130328174003","21336750416930265615946273101896440205","242713924649718161698991874615444863252"]},"source":"https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4","deprecated":false,"signature_type":"Line","id":"CVE-2016-7480-8f33d31a","target":{"file":"ext/spl/spl_observer.c"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-7480.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}